Vulnerability Name:

CVE-2022-22719 (CCN-221667)

Assigned: 2022-03-14
Published: 2022-03-14
Updated: 2022-11-02
Summary: A carefully crafted request body can cause a read to a random memory area which could cause the process to crash. This issue affects Apache HTTP Server 2.4.52 and earlier.
CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Low
7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
Vulnerability Type: CWE-665
CWE-908
Vulnerability Consequences: Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2022-22719

Source: FULLDISC
Type: Mailing List, Third Party Advisory
20220516 APPLE-SA-2022-05-16-4 Security Update 2022-004 Catalina

Source: FULLDISC
Type: Mailing List, Third Party Advisory
20220516 APPLE-SA-2022-05-16-3 macOS Big Sur 11.6.6

Source: FULLDISC
Type: Mailing List, Third Party Advisory
20220516 APPLE-SA-2022-05-16-2 macOS Monterey 12.4

Source: MLIST
Type: Mailing List, Third Party Advisory
[oss-security] 20220314 CVE-2022-22719: Apache HTTP Server: mod_lua Use of uninitialized value of in r:parsebody

Source: XF
Type: UNKNOWN
apache-http-cve202222719-dos(221667)

Source: CCN
Type: Apache Web site
mod_lua Use of uninitialized value of in r:parsebody

Source: MISC
Type: Vendor Advisory
https://httpd.apache.org/security/vulnerabilities_24.html

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20220322 [SECURITY] [DLA 2960-1] apache2 security update

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-b4103753e9

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-78e3211c55

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-21264ec6db

Source: GENTOO
Type: Third Party Advisory
GLSA-202208-20

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20220321-0001/

Source: CCN
Type: Apple security document HT213255
About the security content of Security Update 2022-004 Catalina

Source: CCN
Type: Apple security document HT213256
About the security content of macOS Big Sur 11.6.6

Source: CCN
Type: Apple security document HT213257
About the security content of macOS Monterey 12.4

Source: CONFIRM
Type: Third Party Advisory
https://support.apple.com/kb/HT213255

Source: CONFIRM
Type: Third Party Advisory
https://support.apple.com/kb/HT213256

Source: CONFIRM
Type: Third Party Advisory
https://support.apple.com/kb/HT213257

Source: CCN
Type: IBM Security Bulletin 6565413 (HTTP Server)
Multiple vulnerabilities in IBM HTTP Server used by IBM WebSphere Application Server (CVE-2022-22719, CVE-2022-22720, CVE-2022-22721)

Source: CCN
Type: IBM Security Bulletin 6587106 (Netezza Performance Portal)
Vulnerabilities in IBM HTTP Server affect IBM Netezza Performance Portal

Source: CCN
Type: IBM Security Bulletin 6590977 (Tivoli Monitoring)
Multiple vulnerabilities affect IBM Tivoli Monitoring included WebSphere Application Server and IBM HTTP Server used by WebSphere Application Server

Source: CCN
Type: IBM Security Bulletin 6591347 (Security SiteProtector System)
IBM Security SiteProtector System is affected by multiple Apache HTTP Server Vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6602999 (Rational Build Forge)
IBM Rational Build Forge is affected by Apache Http Server version used in it. (CVE-2022-22719)

Source: CCN
Type: IBM Security Bulletin 6618941 (Aspera Faspex)
IBM Aspera Faspex 4.4.2 has addressed multiple security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6837585 (App Connect Enterprise Certified Container)
IBM App Connect Enterprise Certified Container DesignerAuthoring operands that use Mapping Assistance may be vulnerable to denial of service due to CVE-2022-22719

Source: CCN
Type: IBM Security Bulletin 6952343 (Aspera Orchestrator)
IBM Aspera Orchestrator affected by denial of service vulnerability (CVE-2022-22719)

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:apache:http_server:*:*:*:*:*:*:*:* (Version <= 2.4.52)

Configuration 2:
  • cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:36:*:*:*:*:*:*:*

Configuration 4:
  • cpe:/a:oracle:http_server:12.2.1.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:http_server:12.2.1.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*

Configuration 5:
  • cpe:/o:apple:macos:*:*:*:*:*:*:*:* (Version < 10.15.7)
  • OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2020-001:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-001:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-002:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.15.7:*:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-003:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-004:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-005:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-006:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-007:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2021-008:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2022-001:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2022-002:*:*:*:*:*:*
  • OR cpe:/o:apple:mac_os_x:10.15.7:security_update_2022-003:*:*:*:*:*:*
  • OR cpe:/o:apple:macos:*:*:*:*:*:*:*:* (Version >= 11.0 and < 11.6.6)
  • OR cpe:/o:apple:macos:*:*:*:*:*:*:*:* (Version >= 12.0.0 and < 12.4)

Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration RedHat 3:
  • cpe:/a:redhat:enterprise_linux:9:*:*:*:*:*:*:*

Configuration RedHat 4:
  • cpe:/a:redhat:enterprise_linux:9::appstream:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:apache:http_server:2.4.7:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.8:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.9:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.10:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.12:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.18:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.20:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.17:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.23:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.29:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.33:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.30:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.25:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.26:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.27:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.28:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.34:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.35:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.36:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.37:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.38:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.39:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.16:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.41:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.43:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.46:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.48:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.49:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.50:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.51:*:*:*:*:*:*:*
  • OR cpe:/a:apache:http_server:2.4.52:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:http_server:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:http_server:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:http_server:8.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_siteprotector_system:3.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:aspera_faspex:4.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:4.2:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable

Oval Definitions

Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:7434 | P | apache2-2.4.51-150400.6.11.1 on GA media (Moderate) | 2023-06-12
oval:com.redhat.rhsa:def:20228067 | P | RHSA-2022:8067: httpd security, bug fix, and enhancement update (Moderate) | 2022-11-15
oval:com.redhat.rhsa:def:20227647 | P | RHSA-2022:7647: httpd:2.4 security update (Moderate) | 2022-11-08
oval:org.opensuse.security:def:3463 | P | cups-1.7.5-20.23.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:94492 | P | apache2-2.4.51-150400.4.6 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:95093 | P | apache2-devel-2.4.51-150400.4.6 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:2862 | P | apache2-2.4.51-150400.4.6 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:119164 | P | Security update for apache2 (Important) | 2022-03-29
oval:org.opensuse.security:def:102081 | P | Security update for apache2 (Important) | 2022-03-29
oval:org.opensuse.security:def:99192 | P | (Important) | 2022-03-29
oval:org.opensuse.security:def:118667 | P | Security update for apache2 (Important) | 2022-03-29
oval:org.opensuse.security:def:1652 | P | Security update for apache2 (Important) | 2022-03-29
oval:org.opensuse.security:def:100389 | P | (Important) | 2022-03-29
oval:org.opensuse.security:def:119353 | P | Security update for apache2 (Important) | 2022-03-29
oval:org.opensuse.security:def:102228 | P | Security update for apache2 (Important) | 2022-03-29
oval:org.opensuse.security:def:99462 | P | (Important) | 2022-03-29
oval:org.opensuse.security:def:118857 | P | Security update for apache2 (Important) | 2022-03-29
oval:org.opensuse.security:def:100722 | P | (Important) | 2022-03-29
oval:org.opensuse.security:def:119538 | P | Security update for apache2 (Important) | 2022-03-29
oval:org.opensuse.security:def:842 | P | Security update for apache2 (Important) | 2022-03-29
oval:org.opensuse.security:def:99724 | P | (Important) | 2022-03-29
oval:org.opensuse.security:def:119043 | P | Security update for apache2 (Important) | 2022-03-29
oval:org.opensuse.security:def:101573 | P | Security update for apache2 (Important) | 2022-03-29
oval:org.opensuse.security:def:1501 | P | Security update for apache2 (Important) | 2022-03-29
oval:org.opensuse.security:def:100055 | P | (Important) | 2022-03-29
oval:org.opensuse.security:def:126988 | P | Security update for apache2 (Important) | 2022-03-21
oval:org.opensuse.security:def:127386 | P | Security update for apache2 (Important) | 2022-03-21
oval:org.opensuse.security:def:5376 | P | Security update for apache2 (Important) | 2022-03-21
oval:org.opensuse.security:def:125826 | P | Security update for apache2 (Important) | 2022-03-21
oval:org.opensuse.security:def:6205 | P | Security update for apache2 (Important) | 2022-03-21